Friday’s security updates

By jake

Arch Linux has updated openssl
(certificate verification botch).

CentOS has updated php (C6: many
vulnerabilities, some from 2014).

Debian has updated pdns (full fix
for denial of service) and pdns-recursor
(full fix for denial of service).

Gentoo has updated adobe-flash (multiple vulnerabilities, one from 2014),
chromium (multiple vulnerabilities), mysql (multiple vulnerabilities),
net-snmp (denial of service from 2014), openssl (certificate verification
botch), oracle-jre-bin (multiple vulnerabilities, some from 2014), perl
(denial of service from 2013), portage (certificate verification botch from
2013), pypam (code execution from 2012), and t1utils (multiple
vulnerabilities).

Mageia has updated openssl
(certificate verification botch).

openSUSE has updated MariaDB
(13.2, 13.1: many vulnerabilities, some from 2014).

Oracle has updated php (OL6: many
vulnerabilities, some from 2014).

Red Hat has updated php (RHEL6: many vulnerabilities, some from 2014) and
php54-php (RHSC2: multiple vulnerabilities).

Scientific Linux has updated php
(SL6: many vulnerabilities, some from 2014).

Slackware has updated openssl
(certificate verification botch).

Ubuntu has updated firefox (15.04, 14.10, 14.04: multiple vulnerabilities)
and nss (two vulnerabilities).

From: LWN

Security advisories for Thursday

By jake

Debian has updated python-django
(two vulnerabilities).

Mageia has updated bind (denial of service), cups-filters (two code
execution vulnerabilities), flash-player-plugin (many vulnerabilities),
openssh (access restriction bypass), and virtuoso-opensource (multiple
unspecified vulnerabilities).

openSUSE has updated flash-player (11.4: unspecified vulnerabilities),
libwmf (13.2, 13.1: multiple vulnerabilities), mysql-community-server
(13.2, 13.1: cipher downgrade), tiff (13.2, 13.1: multiple
vulnerabilities), and wireshark (13.2: two denial of service
vulnerabilities).

Red Hat has updated flash-plugin
(RHEL5&6: many vulnerabilities).

SUSE has updated flash-player
(SLE12: many vulnerabilities).

Ubuntu has updated python-django
(two vulnerabilities).

From: LWN

A new OpenSSL vulnerability

By corbet

The OpenSSL project has disclosed a new certificate validation
vulnerability. “During certificate verification, OpenSSL (starting from
version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate
chain if the first attempt to build such a chain fails. An error in the
implementation of this logic can mean that an attacker could cause certain
checks on untrusted certificates to be bypassed, such as the CA flag,
enabling them to use a valid leaf certificate to act as a CA and ‘issue’ an
invalid certificate.”

This is thus a client-side, man-in-the-middle vulnerability.
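The fallback logic the advisory describes, as an added illustration that is not OpenSSL's code: a toy chain builder in Python that, like the one described, tries the next candidate issuer when the first chain dead-ends (which is why a cross-signed intermediate can still validate after its old root is retired), but applies the CA-flag check to every candidate so that a leaf certificate can never be used as an issuer. Certificates are modelled as subject/issuer/CA-flag records with no real signatures, the names are constructed for the example, and the `enforce_ca_flag` switch exists only to show what the check guards against.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (no signatures, no dates)."""
    subject: str
    issuer: str
    is_ca: bool   # the BasicConstraints CA flag


def find_chain(leaf: Cert, untrusted: List[Cert], trusted: Dict[str, Cert],
               enforce_ca_flag: bool = True, max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first search for a path from `leaf` to a trusted anchor.

    `untrusted` holds the certificates supplied by the peer; `trusted` maps
    subject name to trust-store anchor. Returns the chain (leaf first) or None.
    """
    def extend(chain: List[Cert]) -> Optional[List[Cert]]:
        top = chain[-1]
        if len(chain) > max_depth:
            return None
        anchor = trusted.get(top.issuer)
        if anchor is not None and anchor.is_ca:      # anchors must be CAs too
            return chain + [anchor]
        # Try every untrusted cert claiming to have issued `top`. If a branch
        # dead-ends, the next candidate is the "alternative chain" attempt.
        for cand in untrusted:
            if cand.subject != top.issuer or cand in chain:
                continue
            if enforce_ca_flag and not cand.is_ca:
                continue   # a non-CA (leaf) certificate must not act as an issuer
            result = extend(chain + [cand])
            if result is not None:
                return result
        return None

    return extend([leaf])


# Constructed sample PKI: a current root, a retired root that has been removed
# from the trust store, an intermediate cross-signed by both, and a site leaf.
ROOT = Cert("Root CA", "Root CA", True)
INTER_OLD = Cert("Inter CA", "Old Root", True)        # signed by the retired root
INTER_NEW = Cert("Inter CA", "Root CA", True)         # signed by the current root
SITE = Cert("www.example.test", "Inter CA", False)
# A certificate "issued" by the site's own leaf key, which is not a CA.
IMPOSTOR = Cert("login.example.test", "www.example.test", False)

TRUST_STORE = {ROOT.subject: ROOT}


def verify_site() -> Optional[List[Cert]]:
    """The peer sends the old cross-signed intermediate first; the first
    attempt dead-ends at 'Old Root' and the alternative via 'Root CA' succeeds."""
    return find_chain(SITE, [INTER_OLD, INTER_NEW], TRUST_STORE)


def verify_impostor(enforce_ca_flag: bool = True) -> Optional[List[Cert]]:
    """With the CA-flag check in place the leaf-issued certificate is rejected;
    with the check skipped, a structurally complete chain is (wrongly) found."""
    return find_chain(IMPOSTOR, [SITE, INTER_NEW], TRUST_STORE,
                      enforce_ca_flag=enforce_ca_flag)


if __name__ == "__main__":
    print([c.subject for c in verify_site()])
    print(verify_impostor())
    print([c.subject for c in verify_impostor(enforce_ca_flag=False)])
```

The point of the model is that the CA-flag check has to run on every candidate the fallback search considers, not only on the first chain tried; a verifier that applies it on one path and not the other accepts exactly the leaf-as-CA chain the advisory describes.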

From: LWN

The Critical Infrastructure Initiative census project

By corbet

The Critical Infrastructure Initiative (a Linux Foundation effort to
direct resources to critical projects in need of help) has announced a
census to identify the development projects most in need of assistance.
“Unlike the Fed’s stress tests, which are opaque, all of the census data
and analysis is open source. We are eager for community involvement. We
encourage developers to fork the project and experiment with different
data sources, different parameters, and different algorithms to test out
the concept of an automated risk assessment census. We are also eager for
input to help sanitize and complete the data that was used in this first
iteration of the census.”

From: LWN

Security advisories for Wednesday

By ris

Arch Linux has updated bind (denial of service) and flashplugin (code execution).

Debian has updated bind9 (denial of service).

Debian-LTS has updated linux-ftpd-ssl (segmentation fault).

openSUSE has updated flash-player
(13.2, 13.1: code execution).

Oracle has updated abrt (OL6: multiple vulnerabilities).

Scientific Linux has updated abrt
(SL6: multiple vulnerabilities).

Slackware has updated bind (denial of service), cups (code execution),
firefox (multiple vulnerabilities), and ntp (denial of service).

SUSE has updated bind (SLE11SP3:
denial of service) and Xen (SLES10SP4: two vulnerabilities).

Ubuntu has updated bind9 (15.04, 14.10, 14.04, 12.04: denial of service)
and libwmf (15.04, 14.10, 14.04, 12.04: multiple vulnerabilities).

From: LWN

[$] Self-hosting projects with Gogs

By n8willis

In May, we noted the problems that GIMP and other free-software projects
have encountered of late with the SourceForge project-hosting service.
While there are plenty of alternative hosting providers to choose from,
some developers will likely always prefer to self-host their
projects—precisely because an outside service provider can make just such
an abrupt or surprising about-face. Gogs is one option for those taking
the self-hosting approach: it provides a web-based front-end to a
GitHub-like hosting service. Gogs offers quite a few features, but its
choice of GitHub-like qualities may not be to everyone’s tastes.

From: LWN

ownCloud 8.1 released

By corbet

The ownCloud 8.1 release is out. “This release marks significant under the
hood improvements, such as increasing scalability and performance of
syncing and file operations while making ownCloud a better platform for
developers to build upon. Security enhancements, integrated documentation
links, more control in the admin panel over external storage, LDAP and
encryption make ownCloud more secure and easier to use.” See the release
notes for details.

From: LWN